25Minutes: Insights. Expertise. Impact.

7 - Qusai AlRabei: OT security is a business strategy - not just SCADA, DCS & PLCs. IEC, WEF, UAE, Middle East, Global CISO Forum, Cyber AI

In this episode of 25Minutes, I sit down with Qusai, a recognized OT security leader and recipient of multiple 2024 awards in the Middle East, including OT Security Leader of the Year and Excellence in Cyber Risk Management. With a background in mechatronics, hands-on experience across industries and a track record that spans academia and industry, Qusai brings a unique perspective on the evolving landscape of OT security. We dive into his early days in OT and what it takes to drive impactful security initiatives in critical infrastructure. Together, we explore why OT security requires a holistic approach, how OT protocols have changed over time and whether the Purdue model still holds up in today's environments. Qusai also shares lessons from the oil and gas sector in the Middle East and how we in Europe, the U.S. and the rest of the world can learn from it. Plus, a surprising story from a recent audit involving a legacy system that refuses to be decommissioned. If you're looking to improve your OT security strategy with real-world insights, this episode will provide you with a wealth of perspective and precision - all in just 25 minutes.

Important note: The views and opinions expressed in this episode are solely those of the individuals involved and do not necessarily reflect those of any organization, employer or affiliation. 

Our Guest: 

LinkedIn: https://ae.linkedin.com/in/qusai-alrabei-cybersecurity

https://www.weforum.org/stories/2023/12/why-securing-the-ot-environment-is-important/

25 Minutes Podcast

Hosted by: Eliel Mulumba

Audio editing & mastering: Michael Lauderez

Join the conversation on LinkedIn: www.linkedin.com/in/eliel-mulumba-133919147


have you as a guest on our show here, 25 Minutes. Qusai, you have a strong background in mechatronics and engineering. You were one of the top students back in the day. You have contributed to a lot of OT cybersecurity standards that are used worldwide.

Also, IEC 62443, for example. You have also been working for the World Economic Forum here in Geneva in Switzerland and have shared your perspective on OT security. You were also thinking about doing a PhD. Yeah, there are actually many more topics that we are really glad to discuss. And one question that I would like to start with: if you think 20 years back, would you have expected to fulfill the role that you currently have?

Well, at the beginning, walaikum salam, and, uh, the pleasure is all mine, and thanks for having me today. Um, well, I will start from where you finished, whether I would have dreamt that I'll be here today, and I have two answers. So the short answer is, um, definitely no. I was having something else maybe in my mind, but I would like to share with you my journey in this interesting field of OT security.

So, um, my journey into the OT cybersecurity space has been quite an interesting one. So unlike many who entered cybersecurity from the IT background, I started in control and robotics engineering, between brackets, it's mechatronics engineering, where I worked on designing and optimizing industrial automation systems, and this gave me first-hand experience in how industrial control systems operate, their constraints, and why traditional IT security approaches simply don't work in an OT environment.

Over the years, I've had the privilege of working with the top OEMs, and because I feel proud of working with those OEMs, maybe I can mention them. I worked with Rockwell Automation, I worked with Siemens, and now I'm working with Schneider Electric, helping them to integrate cybersecurity into the industrial, um, solutions.

Um, whether it's like power generation, oil and gas, manufacturing, um, utilities. Um, I was always, and I've been, in the heart of securing the real-world critical infrastructure, and these experiences have reinforced one key lesson for me: that OT security is not just about protecting the industrial network.

It's all about ensuring operational continuity, safety, and resilience. So this is my philosophy.

Mhm. And I mean, Qusai, thank you very much for sharing a bit of your educational and professional beginnings. Uh, very interesting to hear how you shifted from mechatronics and engineering and dived then into the worlds of robotics and industrial control systems. And I would like to understand how your background in mechatronics and engineering has actually influenced your shift into OT security.

That's a perfect question. Actually, you know, my time in academia, because I worked two years in the university as a teaching and research assistant in the, uh, in the domain of control systems, and my time in academia played a huge role in shaping how I approach security today. I spent years teaching and researching control systems.

That allowed me to understand the very fine details of industrial automation, the protocols, the physics behind each system, uh, and how these systems, um, behave. That technical foundation helps me to anticipate how cyber threats can impact not just networks, but the physical processes themselves. So that was a great added value to the work that I'm doing today.

So that really helped me to bring a holistic approach to IT, uh, to OT cybersecurity, blending engineering, academia and cybersecurity expertise to ensure industrial environments are both secure and effective.

Wow. I mean, that's really amazing to say. Thank you very much for sharing that. And if I'm just reflecting on your last year, uh, you remember we had a lot of conversations, um, following your posts, but also any news that you were posting with regard to OT cybersecurity development in the Middle East. I've seen that you have won a lot of awards.

So on that as a fact or measurement, your year seems to have been very successful. I would like to understand a bit, maybe we start with that. Can you elaborate a bit on which awards you actually won last year, and why?

So, um, let me start by saying that I've always been privileged to be part of the Middle Eastern industrial community here. Um, as you're aware, the Middle Eastern countries and, you know, specifically here in the UAE and Saudi Arabia and the Gulf countries, they're leading not only OT cybersecurity, but they're leading also the way into the, uh, the overall cybersecurity posture in the world.

And if you see the ranks for these countries, they're always at the top of the countries who are leading cybersecurity. So the maturity level in our countries here is very, very mature. And I was always part of that journey and that story. Now, being part of the journey where everyone here, like the OEMs, the vendors, the governments, end users, they all started together, shaping the story of

securing the critical infrastructure. And, um, given the fact that I was at the beginning of this journey, I contributed, um, in authoring and in developing lots of frameworks for

And

and critical infrastructure.

I was, um, chosen by, uh, different entities and different bodies for, uh, different prizes. Uh, my 2024 was the year of luck, uh, for me. So whatever I had done previously paid off in 2024. So, um, the first, um, prize that I got, it was from the Global CISO Forum, and I got the, uh, the Leader of the Year of OT Cybersecurity in 2024.

And, um, the other one, it is like the Cyber AI Award in the, in the summit of the Cyber and AI, as a top cybersecurity leader in the Middle East and in the media region. And the third one, it was the Excellence in Cyber Risk Management. So those three, um, those three different awards were sponsored by the government.

Uh, here in different governments, different end users whom I worked with before. I contributed to the framework, I contributed to the posture that they have, to ensure the maturity of the posture that they have today. So it was like a great recognition, a source of pride for me, and I felt that the work that I've done just paid off.

I have to say again, congratulations for all the awards that you have won. I think this is a huge inspiration also for others that want to dive into the field of OT cybersecurity. And this is actually something that I would like to touch on with you. If you had to start your career again, what would be the learnings that you would want to share with your younger self, or with anyone who wants to grow in the field of OT cybersecurity?

Actually, to answer this question and to tackle this issue, um, I took it from a different perspective. And instead of just, um, trying to post blogs here or there, or maybe some people who are really interested to get into this field of OT cybersecurity, but they don't have the proper resources, because, you know, uh, you're fully aware that the resources about OT cybersecurity are very limited.

Maybe people can go and, uh, read about the standards, they can read about the IEC 62443 standards, different, you know, uh, different controls, different frameworks. But this will never give you the very fine tips and tricks about OT cybersecurity. If you don't have the hands-on experience, you will never succeed in this domain.

And, you know, imagine that, uh, and I'm always asking this question: will you ever go to a surgeon who learned his, um, uh, surgical skills online or through a simulator? Of course not. You will, you will not give. And, you know, in the industry, regardless of the titles, the nice titles that you see, if you don't have that strong experience of understanding everything from the very fine details, from the roots,

you will never be a successful OT cybersecurity expert. So I decided last year to kick off an initiative, and it was an individual initiative, in the, in the Cybersecurity Awareness Month last October, trying to, uh, to offer my mentorship to the young generations, to the fresh graduates, people who are still at the beginning of their career life, and they are interested in cybersecurity.

So, uh, I kicked off a campaign trying to share my knowledge, giving them advice and trying to tell them, okay, where to go and what to learn. Um, sharing resources and sharing experiences that I have, you know, gained over the days, rather than trying to, uh, read maybe from different resources which are maybe not available, or getting the information from the wrong people.

So I was trying to transfer my knowledge to the young generation to ensure that we have strong and capable experts in the future.

Mhm. Wow. And I mean, based on what you have done, can you maybe share some success stories in terms of, um, improvement that you have recognized, and also the feedback that you have received from your mentees on the support?

Well, that's great, actually. Um, uh, I took as a first batch, uh, seven, uh, fresh, uh, graduates. And actually, uh, six fresh graduates; one of them is still in the senior year of, uh, of engineering. And I started with them from the very basics of the control system. So I want them to understand the anatomy of the control systems, and what I transferred and what I always kept telling them is that OT is not only about securing the network in the industrial environment.

It's not securing the endpoint. That is part of the OT, but it's not the full picture. You need to look at it from a more holistic, um, uh, approach. So I started teaching them, especially people who never had the opportunity to work in industrial control systems or to see PLCs in their entire life.

I set up a lab and started sharing with them how to program a PLC. What is a PLC? What is a controller? What is the difference between, you know, starting from the fundamentals of DCS versus PLC and SCADA systems? People have a problem mixing up DCS with the PLC. So I started from the very basic fundamentals.

Some of them now, I claim that they are at a good level of understanding the industrial control systems, with the knowledge of cybersecurity to start, um, a career in the right way. Two of the engineers that, um, I'm mentoring, they got, um, entry-level jobs with two of the key OEMs here, and I'm really very proud of them.

So, I consider this a success not only for them, but for me.

Yes, indeed. That's very true, Qusai. And also thank you again for sharing that. And you just touched on a couple of topics that are quite important when it comes to security nowadays, which is about understanding the different environments, the different protocols, but also the different systems that are in use. And I would like to dive a bit deeper into this area and try to leverage your experience here. So companies are trying to build their OT security network architecture based on the Purdue model. And I would like to understand from your point of view, is this still something that you consider as state of the art, and

Well, we can't say that it's the state of the art or the cutting-edge, um, technology, because I always believe that in OT cybersecurity there is no one size fits all. I am, um, I'm a big supporter of the companies or the end users who are trying to develop the OT cybersecurity expertise within their organization.

For a simple reason: because those people understand their processes, their operation, better than anyone else. So the key here is to understand the operation and to understand the process before understanding the cybersecurity, um, uh, concerns. So, um, now back to the, uh, back to your question about the, I totally forgot that question.

Sorry.

About the

Maybe we can cut. Okay,

a new approach?

Now back to the Purdue model. It applies somewhere, but it may not apply everywhere. And again, it depends on the network, uh, the industrial environment itself. It depends on how the operation and the process is working. The key factor here is to ensure the proper network segmentation. That is the key here.

We're not. Maybe it's good that we have the Purdue model as a reference architecture on how the operational systems should be, uh, should be architected and should be designed, and what is the communication, how the communication flows between the different levels within the Purdue model.

That's great. But we need to keep in mind always: what is the application that we have? What is the process that we have, and how are we actually configuring this Purdue model? So it's all about keeping the network, doing a proper segmentation of the network, micro-segmentation, maybe applying the, uh, the new, uh, zero trust approach in the OT cybersecurity environment where applicable.

That is what matters.

And you were just touching on two very important topics. So micro-segmentation is often cited as a solution for securing OT networks. And in this regard, we also hear a lot of conversations around zero trust. What is your take on zero trust for OT, actually? Is it realistically achievable, or just a marketing buzzword?

Well, in the OT environment, um, again, we're always talking about the compatibility of the principles that, uh, that are introduced in the market to a certain extent. With the new, uh, you know, greenfield projects in OT cybersecurity, I believe, yes, we can. We can implement it. Um, and we can maybe talk about, um, zero trust in the OT environment where applicable and where the systems are compatible with this approach.

But if we're talking about brownfields and existing networks, maybe it would be difficult to consider this, for a simple reason: because those systems do not have the capability to entertain those new concepts and new approaches.

Mm hmm. And, and one thing that is also often discussed are legacy systems and, uh, let's say, legacy standards versus more modern standards, uh, especially when it comes to OT protocols. So most ICS protocols, as you know, such as Modbus, DNP3, and PROFINET, were never designed with security in mind. And I'm wondering, what is your take on securing those protocols, um, and how they need to be replaced in the future?

Well, um, this is a very good question, because securing the industrial control protocols is something that has always been overlooked, because, you know, lots of companies need to invest a lot in securing those protocols or to come up with the secure versions of those protocols. For Modbus itself,

um, you know, there are always talks about, you know, the secure version of Modbus and there are like some enhancements going on, but you have tons of other protocols that are still unprotected. You have, you know, you have Foundation Fieldbus, you have the BACnet protocol, and then, um, OPC, with the advantages and the disadvantages of OPC, and DNP3 still also.

So, there are like a lot of concerns about the industrial protocols, and those are always part of it when we are talking about the legacy of the control systems. Um, I don't want to surprise you, but a couple of years back, I did, uh, conduct, um, an audit in one of the critical control systems. It was like a cybersecurity audit, and I found that the most critical system

they had was still operating on Windows 98. So it was still operational until like a few years back. And, you know, when you're talking about a system that's still working on that extremely old version of Windows, so what about the connection? What about the networking part? What about the protocols?

What about the endpoint security? So the whole system is not a legacy system, but it was from the era of dinosaurs, but still there, still in operation. Now our approach here is to look at the system as one piece and try to protect it and to whitelist whatever exists there and to isolate it from communication with any other environment around it.

And this is how they keep it. Um, if you look at it, some legacy systems are well protected, um, way more than the new systems, and you see the threats and attacks are compromising the new systems more than the legacy systems, for a simple reason: because they decided just to isolate the system,

apply like some administrative and technical controls to keep that system resilient to any change. The new systems are like connected to several and many third parties, uh, and sometimes the problem is not from the design itself, but how the design is configured, and the capability and the skills of the people who are, um, configuring these, uh, these systems.

Legacy systems are still a challenge, still something we are always looking at, and, um, end users are always advised to migrate if migration is feasible and possible for them.

Thank you very much, Qusai, for sharing that, and we're actually also approaching the end of this episode. We have been talking about the maturity of OT security in the Middle East region. I see it, especially when I'm talking to my counterparts in Saudi Arabia, but also in the UAE, uh, and other countries, that the knowledge is pretty high, the policies are pretty strong. Um, and the conversations are always based on a lot of quality. And I would like to understand from you: what can we in Europe, also in the US and the rest of the world, learn from the Middle East when it comes to security?

Well, the high maturity level here in the Middle East is driven by demand, and the demand here is to protect the critical infrastructure, which is always the, it's an oil and gas region here, and oil and gas is considered as critical infrastructure, from the upstream operation to the downstream operation of the oil and gas, and also the petrochemical industries associated with the oil and gas. There was a genuine demand to secure these, um, uh, operations.

And from that perspective, there was a huge investment, not only in the tools and technology, but also in human resources. There are like a lot of experts, local experts here, from Saudi, Oman and Bahrain. They're investing a lot of time, human resources and money to make sure that their infrastructure is, uh, secure and resilient and able to stay in operation if there are like, uh, some threats coming from outside.

Now, how this model can be cascaded to Europe. Maybe in other countries they don't have to reinvent the wheel, but take the best practices coming from the oil and gas industry and try to take what is applicable in other industries in Europe or other countries. We need always to keep in mind that every industry has its own uniqueness.

What applies to oil and gas maybe has some differences from the pharma industry or the auto industry or the food industry. But there are always some common things, common controls; maybe the framework, um, could be, uh, replicated. There are always certain commonalities and differences there, and my, um, advice is not to reinvent the wheel, maybe replicating, taking the best practices and trying to start from there.

And by the way,

Okay.

from different industries and different geographical locations in the world to ensure that people are, um, exchanging the, uh, their, their knowledge and, you know, learning from, from, from each other.

And this is what we need in our world today. We have access to everything, and it would be really easier to, um, to learn from others' experiences.
